GAO finds major vulnerabilities in 3 state exchange websites

Investigators at the Government Accountability Office (GAO) found notable vulnerabilities in the health insurance exchange websites of three states--California, Kentucky and Vermont--which could put hundreds of thousands of customers' personal information at risk, according to the Associated Press.

GAO discovered the security flaws in September and alerted state officials, the article says. The GAO believes that because it found so many vulnerabilities in just these three states, other exchanges could also be vulnerable. In addition, the agency has urged federal regulators to improve privacy controls for the federal exchange, Healthcare.gov.

The report did not specify which state had which security flaw, but the AP said one state did not encrypt passwords, one state did not use any filters to block potentially hostile website visits and one state did not use proper encryption. Kentucky's former governor, Steve Beshear, said that time constraints kept state officials from fixing problems the GAO identified with his state's exchange, but that no data breach ever occurred.

Covered California Executive Director Peter Lee made a similar point in a letter he sent to Congress in October, though he noted that in a few instances personal information may have been compromised due to human error or other mistakes, the article says. But Lee added that since the GAO report, state officials have put more focus on scanning the state's exchange to find any security threats.

"Protecting data is our highest priority," Lee wrote in his letter. "From day one, Covered California has followed the rigorous guidelines outlined in federal and state security regulations designed to protect our consumers' private information."